1 /* @generated by `generate-fortify-tests.lua "socket"` */ 2 3 #define _FORTIFY_SOURCE 2 4 #define TMPFILE_SIZE (1024 * 32) 5 6 #include <sys/param.h> 7 #include <sys/jail.h> 8 #include <sys/random.h> 9 #include <sys/resource.h> 10 #include <sys/select.h> 11 #include <sys/socket.h> 12 #include <sys/time.h> 13 #include <sys/uio.h> 14 #include <sys/wait.h> 15 #include <dirent.h> 16 #include <errno.h> 17 #include <fcntl.h> 18 #include <limits.h> 19 #include <poll.h> 20 #include <signal.h> 21 #include <stdio.h> 22 #include <stdlib.h> 23 #include <string.h> 24 #include <strings.h> 25 #include <sysexits.h> 26 #include <unistd.h> 27 #include <wchar.h> 28 #include <atf-c.h> 29 30 static FILE * __unused 31 new_fp(size_t __len) 32 { 33 static char fpbuf[LINE_MAX]; 34 FILE *fp; 35 36 ATF_REQUIRE(__len <= sizeof(fpbuf)); 37 38 memset(fpbuf, 'A', sizeof(fpbuf) - 1); 39 fpbuf[sizeof(fpbuf) - 1] = '\0'; 40 41 fp = fmemopen(fpbuf, sizeof(fpbuf), "rb"); 42 ATF_REQUIRE(fp != NULL); 43 44 return (fp); 45 } 46 47 /* 48 * Create a new symlink to use for readlink(2) style tests, we'll just use a 49 * random target name to have something interesting to look at. 50 */ 51 static const char * __unused 52 new_symlink(size_t __len) 53 { 54 static const char linkname[] = "link"; 55 char target[MAXNAMLEN]; 56 int error; 57 58 ATF_REQUIRE(__len <= sizeof(target)); 59 60 arc4random_buf(target, sizeof(target)); 61 62 error = unlink(linkname); 63 ATF_REQUIRE(error == 0 || errno == ENOENT); 64 65 error = symlink(target, linkname); 66 ATF_REQUIRE(error == 0); 67 68 return (linkname); 69 } 70 71 /* 72 * For our purposes, first descriptor will be the reader; we'll send both 73 * raw data and a control message over it so that the result can be used for 74 * any of our recv*() tests. 75 */ 76 static void __unused 77 new_socket(int sock[2]) 78 { 79 unsigned char ctrl[CMSG_SPACE(sizeof(int))] = { 0 }; 80 static char sockbuf[256]; 81 ssize_t rv; 82 size_t total = 0; 83 struct msghdr hdr = { 0 }; 84 struct cmsghdr *cmsg; 85 int error, fd; 86 87 error = socketpair(AF_UNIX, SOCK_STREAM, 0, sock); 88 ATF_REQUIRE(error == 0); 89 90 while (total != sizeof(sockbuf)) { 91 rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0); 92 93 ATF_REQUIRE_MSG(rv > 0, 94 "expected bytes sent, got %zd with %zu left (size %zu, total %zu)", 95 rv, sizeof(sockbuf) - total, sizeof(sockbuf), total); 96 ATF_REQUIRE_MSG(total + (size_t)rv <= sizeof(sockbuf), 97 "%zd exceeds total %zu", rv, sizeof(sockbuf)); 98 total += rv; 99 } 100 101 hdr.msg_control = ctrl; 102 hdr.msg_controllen = sizeof(ctrl); 103 104 cmsg = CMSG_FIRSTHDR(&hdr); 105 cmsg->cmsg_level = SOL_SOCKET; 106 cmsg->cmsg_type = SCM_RIGHTS; 107 cmsg->cmsg_len = CMSG_LEN(sizeof(fd)); 108 fd = STDIN_FILENO; 109 memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd)); 110 111 error = sendmsg(sock[1], &hdr, 0); 112 ATF_REQUIRE(error != -1); 113 } 114 115 /* 116 * Constructs a tmpfile that we can use for testing read(2) and friends. 117 */ 118 static int __unused 119 new_tmpfile(void) 120 { 121 char buf[1024]; 122 ssize_t rv; 123 size_t written; 124 int fd; 125 126 fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644); 127 ATF_REQUIRE(fd >= 0); 128 129 written = 0; 130 while (written < TMPFILE_SIZE) { 131 rv = write(fd, buf, sizeof(buf)); 132 ATF_REQUIRE(rv > 0); 133 134 written += rv; 135 } 136 137 ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET)); 138 return (fd); 139 } 140 141 static void 142 disable_coredumps(void) 143 { 144 struct rlimit rl = { 0 }; 145 146 if (setrlimit(RLIMIT_CORE, &rl) == -1) 147 _exit(EX_OSERR); 148 } 149 150 /* 151 * Replaces stdin with a file that we can actually read from, for tests where 152 * we want a FILE * or fd that we can get data from. 153 */ 154 static void __unused 155 replace_stdin(void) 156 { 157 int fd; 158 159 fd = new_tmpfile(); 160 161 (void)dup2(fd, STDIN_FILENO); 162 if (fd != STDIN_FILENO) 163 close(fd); 164 } 165 166 ATF_TC(getpeername_before_end); 167 ATF_TC_HEAD(getpeername_before_end, tc) 168 { 169 } 170 ATF_TC_BODY(getpeername_before_end, tc) 171 { 172 #define BUF &__stack.__buf 173 struct { 174 uint8_t padding_l; 175 struct sockaddr __buf; 176 uint8_t padding_r; 177 } __stack; 178 const size_t __bufsz __unused = sizeof(__stack.__buf); 179 const size_t __len = sizeof(struct sockaddr) - 1; 180 const size_t __idx __unused = __len - 1; 181 int sock[2] = { -1, -1 }; 182 socklen_t socklen; 183 new_socket(sock); 184 socklen = __len; 185 186 getpeername(sock[0], &__stack.__buf, &socklen); 187 #undef BUF 188 189 } 190 191 ATF_TC(getpeername_end); 192 ATF_TC_HEAD(getpeername_end, tc) 193 { 194 } 195 ATF_TC_BODY(getpeername_end, tc) 196 { 197 #define BUF &__stack.__buf 198 struct { 199 uint8_t padding_l; 200 struct sockaddr __buf; 201 uint8_t padding_r; 202 } __stack; 203 const size_t __bufsz __unused = sizeof(__stack.__buf); 204 const size_t __len = sizeof(struct sockaddr); 205 const size_t __idx __unused = __len - 1; 206 int sock[2] = { -1, -1 }; 207 socklen_t socklen; 208 new_socket(sock); 209 socklen = __len; 210 211 getpeername(sock[0], &__stack.__buf, &socklen); 212 #undef BUF 213 214 } 215 216 ATF_TC(getpeername_heap_before_end); 217 ATF_TC_HEAD(getpeername_heap_before_end, tc) 218 { 219 } 220 ATF_TC_BODY(getpeername_heap_before_end, tc) 221 { 222 #define BUF __stack.__buf 223 struct { 224 uint8_t padding_l; 225 struct sockaddr * __buf; 226 uint8_t padding_r; 227 } __stack; 228 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 229 const size_t __len = sizeof(struct sockaddr) - 1; 230 const size_t __idx __unused = __len - 1; 231 int sock[2] = { -1, -1 }; 232 socklen_t socklen; 233 __stack.__buf = malloc(__bufsz); 234 new_socket(sock); 235 socklen = __len; 236 237 getpeername(sock[0], __stack.__buf, &socklen); 238 #undef BUF 239 240 } 241 242 ATF_TC(getpeername_heap_end); 243 ATF_TC_HEAD(getpeername_heap_end, tc) 244 { 245 } 246 ATF_TC_BODY(getpeername_heap_end, tc) 247 { 248 #define BUF __stack.__buf 249 struct { 250 uint8_t padding_l; 251 struct sockaddr * __buf; 252 uint8_t padding_r; 253 } __stack; 254 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 255 const size_t __len = sizeof(struct sockaddr); 256 const size_t __idx __unused = __len - 1; 257 int sock[2] = { -1, -1 }; 258 socklen_t socklen; 259 __stack.__buf = malloc(__bufsz); 260 new_socket(sock); 261 socklen = __len; 262 263 getpeername(sock[0], __stack.__buf, &socklen); 264 #undef BUF 265 266 } 267 268 ATF_TC(getpeername_heap_after_end); 269 ATF_TC_HEAD(getpeername_heap_after_end, tc) 270 { 271 } 272 ATF_TC_BODY(getpeername_heap_after_end, tc) 273 { 274 #define BUF __stack.__buf 275 struct { 276 uint8_t padding_l; 277 struct sockaddr * __buf; 278 uint8_t padding_r; 279 } __stack; 280 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 281 const size_t __len = sizeof(struct sockaddr) + 1; 282 const size_t __idx __unused = __len - 1; 283 pid_t __child; 284 int __status; 285 int sock[2] = { -1, -1 }; 286 socklen_t socklen; 287 __child = fork(); 288 ATF_REQUIRE(__child >= 0); 289 if (__child > 0) 290 goto monitor; 291 292 /* Child */ 293 disable_coredumps(); 294 __stack.__buf = malloc(__bufsz); 295 new_socket(sock); 296 socklen = __len; 297 298 getpeername(sock[0], __stack.__buf, &socklen); 299 _exit(EX_SOFTWARE); /* Should have aborted. */ 300 301 monitor: 302 while (waitpid(__child, &__status, 0) != __child) { 303 ATF_REQUIRE_EQ(EINTR, errno); 304 } 305 306 if (!WIFSIGNALED(__status)) { 307 switch (WEXITSTATUS(__status)) { 308 case EX_SOFTWARE: 309 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 310 break; 311 case EX_OSERR: 312 atf_tc_fail("setrlimit(2) failed"); 313 break; 314 default: 315 atf_tc_fail("child exited with status %d", 316 WEXITSTATUS(__status)); 317 } 318 } else { 319 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 320 } 321 #undef BUF 322 323 } 324 325 ATF_TC(getsockname_before_end); 326 ATF_TC_HEAD(getsockname_before_end, tc) 327 { 328 } 329 ATF_TC_BODY(getsockname_before_end, tc) 330 { 331 #define BUF &__stack.__buf 332 struct { 333 uint8_t padding_l; 334 struct sockaddr __buf; 335 uint8_t padding_r; 336 } __stack; 337 const size_t __bufsz __unused = sizeof(__stack.__buf); 338 const size_t __len = sizeof(struct sockaddr) - 1; 339 const size_t __idx __unused = __len - 1; 340 int sock[2] = { -1, -1 }; 341 socklen_t socklen; 342 new_socket(sock); 343 socklen = __len; 344 345 getsockname(sock[0], &__stack.__buf, &socklen); 346 #undef BUF 347 348 } 349 350 ATF_TC(getsockname_end); 351 ATF_TC_HEAD(getsockname_end, tc) 352 { 353 } 354 ATF_TC_BODY(getsockname_end, tc) 355 { 356 #define BUF &__stack.__buf 357 struct { 358 uint8_t padding_l; 359 struct sockaddr __buf; 360 uint8_t padding_r; 361 } __stack; 362 const size_t __bufsz __unused = sizeof(__stack.__buf); 363 const size_t __len = sizeof(struct sockaddr); 364 const size_t __idx __unused = __len - 1; 365 int sock[2] = { -1, -1 }; 366 socklen_t socklen; 367 new_socket(sock); 368 socklen = __len; 369 370 getsockname(sock[0], &__stack.__buf, &socklen); 371 #undef BUF 372 373 } 374 375 ATF_TC(getsockname_heap_before_end); 376 ATF_TC_HEAD(getsockname_heap_before_end, tc) 377 { 378 } 379 ATF_TC_BODY(getsockname_heap_before_end, tc) 380 { 381 #define BUF __stack.__buf 382 struct { 383 uint8_t padding_l; 384 struct sockaddr * __buf; 385 uint8_t padding_r; 386 } __stack; 387 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 388 const size_t __len = sizeof(struct sockaddr) - 1; 389 const size_t __idx __unused = __len - 1; 390 int sock[2] = { -1, -1 }; 391 socklen_t socklen; 392 __stack.__buf = malloc(__bufsz); 393 new_socket(sock); 394 socklen = __len; 395 396 getsockname(sock[0], __stack.__buf, &socklen); 397 #undef BUF 398 399 } 400 401 ATF_TC(getsockname_heap_end); 402 ATF_TC_HEAD(getsockname_heap_end, tc) 403 { 404 } 405 ATF_TC_BODY(getsockname_heap_end, tc) 406 { 407 #define BUF __stack.__buf 408 struct { 409 uint8_t padding_l; 410 struct sockaddr * __buf; 411 uint8_t padding_r; 412 } __stack; 413 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 414 const size_t __len = sizeof(struct sockaddr); 415 const size_t __idx __unused = __len - 1; 416 int sock[2] = { -1, -1 }; 417 socklen_t socklen; 418 __stack.__buf = malloc(__bufsz); 419 new_socket(sock); 420 socklen = __len; 421 422 getsockname(sock[0], __stack.__buf, &socklen); 423 #undef BUF 424 425 } 426 427 ATF_TC(getsockname_heap_after_end); 428 ATF_TC_HEAD(getsockname_heap_after_end, tc) 429 { 430 } 431 ATF_TC_BODY(getsockname_heap_after_end, tc) 432 { 433 #define BUF __stack.__buf 434 struct { 435 uint8_t padding_l; 436 struct sockaddr * __buf; 437 uint8_t padding_r; 438 } __stack; 439 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 440 const size_t __len = sizeof(struct sockaddr) + 1; 441 const size_t __idx __unused = __len - 1; 442 pid_t __child; 443 int __status; 444 int sock[2] = { -1, -1 }; 445 socklen_t socklen; 446 __child = fork(); 447 ATF_REQUIRE(__child >= 0); 448 if (__child > 0) 449 goto monitor; 450 451 /* Child */ 452 disable_coredumps(); 453 __stack.__buf = malloc(__bufsz); 454 new_socket(sock); 455 socklen = __len; 456 457 getsockname(sock[0], __stack.__buf, &socklen); 458 _exit(EX_SOFTWARE); /* Should have aborted. */ 459 460 monitor: 461 while (waitpid(__child, &__status, 0) != __child) { 462 ATF_REQUIRE_EQ(EINTR, errno); 463 } 464 465 if (!WIFSIGNALED(__status)) { 466 switch (WEXITSTATUS(__status)) { 467 case EX_SOFTWARE: 468 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 469 break; 470 case EX_OSERR: 471 atf_tc_fail("setrlimit(2) failed"); 472 break; 473 default: 474 atf_tc_fail("child exited with status %d", 475 WEXITSTATUS(__status)); 476 } 477 } else { 478 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 479 } 480 #undef BUF 481 482 } 483 484 ATF_TC(recv_before_end); 485 ATF_TC_HEAD(recv_before_end, tc) 486 { 487 } 488 ATF_TC_BODY(recv_before_end, tc) 489 { 490 #define BUF &__stack.__buf 491 struct { 492 uint8_t padding_l; 493 unsigned char __buf[42]; 494 uint8_t padding_r; 495 } __stack; 496 const size_t __bufsz __unused = sizeof(__stack.__buf); 497 const size_t __len = 42 - 1; 498 const size_t __idx __unused = __len - 1; 499 int sock[2] = { -1, -1 }; 500 501 new_socket(sock); 502 503 recv(sock[0], __stack.__buf, __len, 0); 504 #undef BUF 505 506 } 507 508 ATF_TC(recv_end); 509 ATF_TC_HEAD(recv_end, tc) 510 { 511 } 512 ATF_TC_BODY(recv_end, tc) 513 { 514 #define BUF &__stack.__buf 515 struct { 516 uint8_t padding_l; 517 unsigned char __buf[42]; 518 uint8_t padding_r; 519 } __stack; 520 const size_t __bufsz __unused = sizeof(__stack.__buf); 521 const size_t __len = 42; 522 const size_t __idx __unused = __len - 1; 523 int sock[2] = { -1, -1 }; 524 525 new_socket(sock); 526 527 recv(sock[0], __stack.__buf, __len, 0); 528 #undef BUF 529 530 } 531 532 ATF_TC(recv_heap_before_end); 533 ATF_TC_HEAD(recv_heap_before_end, tc) 534 { 535 } 536 ATF_TC_BODY(recv_heap_before_end, tc) 537 { 538 #define BUF __stack.__buf 539 struct { 540 uint8_t padding_l; 541 unsigned char * __buf; 542 uint8_t padding_r; 543 } __stack; 544 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 545 const size_t __len = 42 - 1; 546 const size_t __idx __unused = __len - 1; 547 int sock[2] = { -1, -1 }; 548 549 __stack.__buf = malloc(__bufsz); 550 new_socket(sock); 551 552 recv(sock[0], __stack.__buf, __len, 0); 553 #undef BUF 554 555 } 556 557 ATF_TC(recv_heap_end); 558 ATF_TC_HEAD(recv_heap_end, tc) 559 { 560 } 561 ATF_TC_BODY(recv_heap_end, tc) 562 { 563 #define BUF __stack.__buf 564 struct { 565 uint8_t padding_l; 566 unsigned char * __buf; 567 uint8_t padding_r; 568 } __stack; 569 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 570 const size_t __len = 42; 571 const size_t __idx __unused = __len - 1; 572 int sock[2] = { -1, -1 }; 573 574 __stack.__buf = malloc(__bufsz); 575 new_socket(sock); 576 577 recv(sock[0], __stack.__buf, __len, 0); 578 #undef BUF 579 580 } 581 582 ATF_TC(recv_heap_after_end); 583 ATF_TC_HEAD(recv_heap_after_end, tc) 584 { 585 } 586 ATF_TC_BODY(recv_heap_after_end, tc) 587 { 588 #define BUF __stack.__buf 589 struct { 590 uint8_t padding_l; 591 unsigned char * __buf; 592 uint8_t padding_r; 593 } __stack; 594 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 595 const size_t __len = 42 + 1; 596 const size_t __idx __unused = __len - 1; 597 pid_t __child; 598 int __status; 599 int sock[2] = { -1, -1 }; 600 601 __child = fork(); 602 ATF_REQUIRE(__child >= 0); 603 if (__child > 0) 604 goto monitor; 605 606 /* Child */ 607 disable_coredumps(); 608 __stack.__buf = malloc(__bufsz); 609 new_socket(sock); 610 611 recv(sock[0], __stack.__buf, __len, 0); 612 _exit(EX_SOFTWARE); /* Should have aborted. */ 613 614 monitor: 615 while (waitpid(__child, &__status, 0) != __child) { 616 ATF_REQUIRE_EQ(EINTR, errno); 617 } 618 619 if (!WIFSIGNALED(__status)) { 620 switch (WEXITSTATUS(__status)) { 621 case EX_SOFTWARE: 622 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 623 break; 624 case EX_OSERR: 625 atf_tc_fail("setrlimit(2) failed"); 626 break; 627 default: 628 atf_tc_fail("child exited with status %d", 629 WEXITSTATUS(__status)); 630 } 631 } else { 632 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 633 } 634 #undef BUF 635 636 } 637 638 ATF_TC(recvfrom_before_end); 639 ATF_TC_HEAD(recvfrom_before_end, tc) 640 { 641 } 642 ATF_TC_BODY(recvfrom_before_end, tc) 643 { 644 #define BUF &__stack.__buf 645 struct { 646 uint8_t padding_l; 647 unsigned char __buf[42]; 648 uint8_t padding_r; 649 } __stack; 650 const size_t __bufsz __unused = sizeof(__stack.__buf); 651 const size_t __len = 42 - 1; 652 const size_t __idx __unused = __len - 1; 653 int sock[2] = { -1, -1 }; 654 655 new_socket(sock); 656 657 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 658 #undef BUF 659 660 } 661 662 ATF_TC(recvfrom_end); 663 ATF_TC_HEAD(recvfrom_end, tc) 664 { 665 } 666 ATF_TC_BODY(recvfrom_end, tc) 667 { 668 #define BUF &__stack.__buf 669 struct { 670 uint8_t padding_l; 671 unsigned char __buf[42]; 672 uint8_t padding_r; 673 } __stack; 674 const size_t __bufsz __unused = sizeof(__stack.__buf); 675 const size_t __len = 42; 676 const size_t __idx __unused = __len - 1; 677 int sock[2] = { -1, -1 }; 678 679 new_socket(sock); 680 681 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 682 #undef BUF 683 684 } 685 686 ATF_TC(recvfrom_heap_before_end); 687 ATF_TC_HEAD(recvfrom_heap_before_end, tc) 688 { 689 } 690 ATF_TC_BODY(recvfrom_heap_before_end, tc) 691 { 692 #define BUF __stack.__buf 693 struct { 694 uint8_t padding_l; 695 unsigned char * __buf; 696 uint8_t padding_r; 697 } __stack; 698 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 699 const size_t __len = 42 - 1; 700 const size_t __idx __unused = __len - 1; 701 int sock[2] = { -1, -1 }; 702 703 __stack.__buf = malloc(__bufsz); 704 new_socket(sock); 705 706 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 707 #undef BUF 708 709 } 710 711 ATF_TC(recvfrom_heap_end); 712 ATF_TC_HEAD(recvfrom_heap_end, tc) 713 { 714 } 715 ATF_TC_BODY(recvfrom_heap_end, tc) 716 { 717 #define BUF __stack.__buf 718 struct { 719 uint8_t padding_l; 720 unsigned char * __buf; 721 uint8_t padding_r; 722 } __stack; 723 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 724 const size_t __len = 42; 725 const size_t __idx __unused = __len - 1; 726 int sock[2] = { -1, -1 }; 727 728 __stack.__buf = malloc(__bufsz); 729 new_socket(sock); 730 731 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 732 #undef BUF 733 734 } 735 736 ATF_TC(recvfrom_heap_after_end); 737 ATF_TC_HEAD(recvfrom_heap_after_end, tc) 738 { 739 } 740 ATF_TC_BODY(recvfrom_heap_after_end, tc) 741 { 742 #define BUF __stack.__buf 743 struct { 744 uint8_t padding_l; 745 unsigned char * __buf; 746 uint8_t padding_r; 747 } __stack; 748 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 749 const size_t __len = 42 + 1; 750 const size_t __idx __unused = __len - 1; 751 pid_t __child; 752 int __status; 753 int sock[2] = { -1, -1 }; 754 755 __child = fork(); 756 ATF_REQUIRE(__child >= 0); 757 if (__child > 0) 758 goto monitor; 759 760 /* Child */ 761 disable_coredumps(); 762 __stack.__buf = malloc(__bufsz); 763 new_socket(sock); 764 765 recvfrom(sock[0], __stack.__buf, __len, 0, NULL, NULL); 766 _exit(EX_SOFTWARE); /* Should have aborted. */ 767 768 monitor: 769 while (waitpid(__child, &__status, 0) != __child) { 770 ATF_REQUIRE_EQ(EINTR, errno); 771 } 772 773 if (!WIFSIGNALED(__status)) { 774 switch (WEXITSTATUS(__status)) { 775 case EX_SOFTWARE: 776 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 777 break; 778 case EX_OSERR: 779 atf_tc_fail("setrlimit(2) failed"); 780 break; 781 default: 782 atf_tc_fail("child exited with status %d", 783 WEXITSTATUS(__status)); 784 } 785 } else { 786 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 787 } 788 #undef BUF 789 790 } 791 792 ATF_TC(recvfrom_sockaddr_before_end); 793 ATF_TC_HEAD(recvfrom_sockaddr_before_end, tc) 794 { 795 } 796 ATF_TC_BODY(recvfrom_sockaddr_before_end, tc) 797 { 798 #define BUF &__stack.__buf 799 struct { 800 uint8_t padding_l; 801 struct sockaddr __buf; 802 uint8_t padding_r; 803 } __stack; 804 const size_t __bufsz __unused = sizeof(__stack.__buf); 805 const size_t __len = sizeof(struct sockaddr) - 1; 806 const size_t __idx __unused = __len - 1; 807 int sock[2] = { -1, -1 }; 808 char data[16]; 809 socklen_t socklen; 810 811 new_socket(sock); 812 socklen = __len; 813 814 recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen); 815 #undef BUF 816 817 } 818 819 ATF_TC(recvfrom_sockaddr_end); 820 ATF_TC_HEAD(recvfrom_sockaddr_end, tc) 821 { 822 } 823 ATF_TC_BODY(recvfrom_sockaddr_end, tc) 824 { 825 #define BUF &__stack.__buf 826 struct { 827 uint8_t padding_l; 828 struct sockaddr __buf; 829 uint8_t padding_r; 830 } __stack; 831 const size_t __bufsz __unused = sizeof(__stack.__buf); 832 const size_t __len = sizeof(struct sockaddr); 833 const size_t __idx __unused = __len - 1; 834 int sock[2] = { -1, -1 }; 835 char data[16]; 836 socklen_t socklen; 837 838 new_socket(sock); 839 socklen = __len; 840 841 recvfrom(sock[0], data, sizeof(data), 0, &__stack.__buf, &socklen); 842 #undef BUF 843 844 } 845 846 ATF_TC(recvfrom_sockaddr_heap_before_end); 847 ATF_TC_HEAD(recvfrom_sockaddr_heap_before_end, tc) 848 { 849 } 850 ATF_TC_BODY(recvfrom_sockaddr_heap_before_end, tc) 851 { 852 #define BUF __stack.__buf 853 struct { 854 uint8_t padding_l; 855 struct sockaddr * __buf; 856 uint8_t padding_r; 857 } __stack; 858 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 859 const size_t __len = sizeof(struct sockaddr) - 1; 860 const size_t __idx __unused = __len - 1; 861 int sock[2] = { -1, -1 }; 862 char data[16]; 863 socklen_t socklen; 864 865 __stack.__buf = malloc(__bufsz); 866 new_socket(sock); 867 socklen = __len; 868 869 recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen); 870 #undef BUF 871 872 } 873 874 ATF_TC(recvfrom_sockaddr_heap_end); 875 ATF_TC_HEAD(recvfrom_sockaddr_heap_end, tc) 876 { 877 } 878 ATF_TC_BODY(recvfrom_sockaddr_heap_end, tc) 879 { 880 #define BUF __stack.__buf 881 struct { 882 uint8_t padding_l; 883 struct sockaddr * __buf; 884 uint8_t padding_r; 885 } __stack; 886 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 887 const size_t __len = sizeof(struct sockaddr); 888 const size_t __idx __unused = __len - 1; 889 int sock[2] = { -1, -1 }; 890 char data[16]; 891 socklen_t socklen; 892 893 __stack.__buf = malloc(__bufsz); 894 new_socket(sock); 895 socklen = __len; 896 897 recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen); 898 #undef BUF 899 900 } 901 902 ATF_TC(recvfrom_sockaddr_heap_after_end); 903 ATF_TC_HEAD(recvfrom_sockaddr_heap_after_end, tc) 904 { 905 } 906 ATF_TC_BODY(recvfrom_sockaddr_heap_after_end, tc) 907 { 908 #define BUF __stack.__buf 909 struct { 910 uint8_t padding_l; 911 struct sockaddr * __buf; 912 uint8_t padding_r; 913 } __stack; 914 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 915 const size_t __len = sizeof(struct sockaddr) + 1; 916 const size_t __idx __unused = __len - 1; 917 pid_t __child; 918 int __status; 919 int sock[2] = { -1, -1 }; 920 char data[16]; 921 socklen_t socklen; 922 923 __child = fork(); 924 ATF_REQUIRE(__child >= 0); 925 if (__child > 0) 926 goto monitor; 927 928 /* Child */ 929 disable_coredumps(); 930 __stack.__buf = malloc(__bufsz); 931 new_socket(sock); 932 socklen = __len; 933 934 recvfrom(sock[0], data, sizeof(data), 0, __stack.__buf, &socklen); 935 _exit(EX_SOFTWARE); /* Should have aborted. */ 936 937 monitor: 938 while (waitpid(__child, &__status, 0) != __child) { 939 ATF_REQUIRE_EQ(EINTR, errno); 940 } 941 942 if (!WIFSIGNALED(__status)) { 943 switch (WEXITSTATUS(__status)) { 944 case EX_SOFTWARE: 945 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 946 break; 947 case EX_OSERR: 948 atf_tc_fail("setrlimit(2) failed"); 949 break; 950 default: 951 atf_tc_fail("child exited with status %d", 952 WEXITSTATUS(__status)); 953 } 954 } else { 955 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 956 } 957 #undef BUF 958 959 } 960 961 ATF_TC(recvmsg_msg_name_before_end); 962 ATF_TC_HEAD(recvmsg_msg_name_before_end, tc) 963 { 964 } 965 ATF_TC_BODY(recvmsg_msg_name_before_end, tc) 966 { 967 #define BUF &__stack.__buf 968 struct { 969 uint8_t padding_l; 970 struct sockaddr __buf; 971 uint8_t padding_r; 972 } __stack; 973 const size_t __bufsz __unused = sizeof(__stack.__buf); 974 const size_t __len = sizeof(struct sockaddr) - 1; 975 const size_t __idx __unused = __len - 1; 976 int sock[2] = { -1, -1 }; 977 struct msghdr msg; 978 979 memset(&msg, 0, sizeof(msg)); 980 msg.msg_name = BUF; 981 msg.msg_namelen = __len; 982 983 recvmsg(sock[0], &msg, 0); 984 #undef BUF 985 986 } 987 988 ATF_TC(recvmsg_msg_name_end); 989 ATF_TC_HEAD(recvmsg_msg_name_end, tc) 990 { 991 } 992 ATF_TC_BODY(recvmsg_msg_name_end, tc) 993 { 994 #define BUF &__stack.__buf 995 struct { 996 uint8_t padding_l; 997 struct sockaddr __buf; 998 uint8_t padding_r; 999 } __stack; 1000 const size_t __bufsz __unused = sizeof(__stack.__buf); 1001 const size_t __len = sizeof(struct sockaddr); 1002 const size_t __idx __unused = __len - 1; 1003 int sock[2] = { -1, -1 }; 1004 struct msghdr msg; 1005 1006 memset(&msg, 0, sizeof(msg)); 1007 msg.msg_name = BUF; 1008 msg.msg_namelen = __len; 1009 1010 recvmsg(sock[0], &msg, 0); 1011 #undef BUF 1012 1013 } 1014 1015 ATF_TC(recvmsg_msg_name_heap_before_end); 1016 ATF_TC_HEAD(recvmsg_msg_name_heap_before_end, tc) 1017 { 1018 } 1019 ATF_TC_BODY(recvmsg_msg_name_heap_before_end, tc) 1020 { 1021 #define BUF __stack.__buf 1022 struct { 1023 uint8_t padding_l; 1024 struct sockaddr * __buf; 1025 uint8_t padding_r; 1026 } __stack; 1027 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 1028 const size_t __len = sizeof(struct sockaddr) - 1; 1029 const size_t __idx __unused = __len - 1; 1030 int sock[2] = { -1, -1 }; 1031 struct msghdr msg; 1032 1033 __stack.__buf = malloc(__bufsz); 1034 memset(&msg, 0, sizeof(msg)); 1035 msg.msg_name = BUF; 1036 msg.msg_namelen = __len; 1037 1038 recvmsg(sock[0], &msg, 0); 1039 #undef BUF 1040 1041 } 1042 1043 ATF_TC(recvmsg_msg_name_heap_end); 1044 ATF_TC_HEAD(recvmsg_msg_name_heap_end, tc) 1045 { 1046 } 1047 ATF_TC_BODY(recvmsg_msg_name_heap_end, tc) 1048 { 1049 #define BUF __stack.__buf 1050 struct { 1051 uint8_t padding_l; 1052 struct sockaddr * __buf; 1053 uint8_t padding_r; 1054 } __stack; 1055 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 1056 const size_t __len = sizeof(struct sockaddr); 1057 const size_t __idx __unused = __len - 1; 1058 int sock[2] = { -1, -1 }; 1059 struct msghdr msg; 1060 1061 __stack.__buf = malloc(__bufsz); 1062 memset(&msg, 0, sizeof(msg)); 1063 msg.msg_name = BUF; 1064 msg.msg_namelen = __len; 1065 1066 recvmsg(sock[0], &msg, 0); 1067 #undef BUF 1068 1069 } 1070 1071 ATF_TC(recvmsg_msg_name_heap_after_end); 1072 ATF_TC_HEAD(recvmsg_msg_name_heap_after_end, tc) 1073 { 1074 } 1075 ATF_TC_BODY(recvmsg_msg_name_heap_after_end, tc) 1076 { 1077 #define BUF __stack.__buf 1078 struct { 1079 uint8_t padding_l; 1080 struct sockaddr * __buf; 1081 uint8_t padding_r; 1082 } __stack; 1083 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); 1084 const size_t __len = sizeof(struct sockaddr) + 1; 1085 const size_t __idx __unused = __len - 1; 1086 pid_t __child; 1087 int __status; 1088 int sock[2] = { -1, -1 }; 1089 struct msghdr msg; 1090 1091 __child = fork(); 1092 ATF_REQUIRE(__child >= 0); 1093 if (__child > 0) 1094 goto monitor; 1095 1096 /* Child */ 1097 disable_coredumps(); 1098 __stack.__buf = malloc(__bufsz); 1099 memset(&msg, 0, sizeof(msg)); 1100 msg.msg_name = BUF; 1101 msg.msg_namelen = __len; 1102 1103 recvmsg(sock[0], &msg, 0); 1104 _exit(EX_SOFTWARE); /* Should have aborted. */ 1105 1106 monitor: 1107 while (waitpid(__child, &__status, 0) != __child) { 1108 ATF_REQUIRE_EQ(EINTR, errno); 1109 } 1110 1111 if (!WIFSIGNALED(__status)) { 1112 switch (WEXITSTATUS(__status)) { 1113 case EX_SOFTWARE: 1114 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1115 break; 1116 case EX_OSERR: 1117 atf_tc_fail("setrlimit(2) failed"); 1118 break; 1119 default: 1120 atf_tc_fail("child exited with status %d", 1121 WEXITSTATUS(__status)); 1122 } 1123 } else { 1124 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1125 } 1126 #undef BUF 1127 1128 } 1129 1130 ATF_TC(recvmsg_msg_iov_before_end); 1131 ATF_TC_HEAD(recvmsg_msg_iov_before_end, tc) 1132 { 1133 } 1134 ATF_TC_BODY(recvmsg_msg_iov_before_end, tc) 1135 { 1136 #define BUF &__stack.__buf 1137 struct { 1138 uint8_t padding_l; 1139 unsigned char __buf[42]; 1140 uint8_t padding_r; 1141 } __stack; 1142 const size_t __bufsz __unused = sizeof(__stack.__buf); 1143 const size_t __len = 42 - 1; 1144 const size_t __idx __unused = __len - 1; 1145 int sock[2] = { -1, -1 }; 1146 struct msghdr msg; 1147 struct iovec iov[2]; 1148 1149 memset(&msg, 0, sizeof(msg)); 1150 memset(&iov[0], 0, sizeof(iov)); 1151 1152 /* 1153 * We position the buffer second just so that we can confirm that the 1154 * fortification bits are traversing the iovec correctly. 1155 */ 1156 iov[1].iov_base = BUF; 1157 iov[1].iov_len = __len; 1158 1159 msg.msg_iov = &iov[0]; 1160 msg.msg_iovlen = nitems(iov); 1161 1162 recvmsg(sock[0], &msg, 0); 1163 #undef BUF 1164 1165 } 1166 1167 ATF_TC(recvmsg_msg_iov_end); 1168 ATF_TC_HEAD(recvmsg_msg_iov_end, tc) 1169 { 1170 } 1171 ATF_TC_BODY(recvmsg_msg_iov_end, tc) 1172 { 1173 #define BUF &__stack.__buf 1174 struct { 1175 uint8_t padding_l; 1176 unsigned char __buf[42]; 1177 uint8_t padding_r; 1178 } __stack; 1179 const size_t __bufsz __unused = sizeof(__stack.__buf); 1180 const size_t __len = 42; 1181 const size_t __idx __unused = __len - 1; 1182 int sock[2] = { -1, -1 }; 1183 struct msghdr msg; 1184 struct iovec iov[2]; 1185 1186 memset(&msg, 0, sizeof(msg)); 1187 memset(&iov[0], 0, sizeof(iov)); 1188 1189 /* 1190 * We position the buffer second just so that we can confirm that the 1191 * fortification bits are traversing the iovec correctly. 1192 */ 1193 iov[1].iov_base = BUF; 1194 iov[1].iov_len = __len; 1195 1196 msg.msg_iov = &iov[0]; 1197 msg.msg_iovlen = nitems(iov); 1198 1199 recvmsg(sock[0], &msg, 0); 1200 #undef BUF 1201 1202 } 1203 1204 ATF_TC(recvmsg_msg_iov_heap_before_end); 1205 ATF_TC_HEAD(recvmsg_msg_iov_heap_before_end, tc) 1206 { 1207 } 1208 ATF_TC_BODY(recvmsg_msg_iov_heap_before_end, tc) 1209 { 1210 #define BUF __stack.__buf 1211 struct { 1212 uint8_t padding_l; 1213 unsigned char * __buf; 1214 uint8_t padding_r; 1215 } __stack; 1216 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1217 const size_t __len = 42 - 1; 1218 const size_t __idx __unused = __len - 1; 1219 int sock[2] = { -1, -1 }; 1220 struct msghdr msg; 1221 struct iovec iov[2]; 1222 1223 __stack.__buf = malloc(__bufsz); 1224 memset(&msg, 0, sizeof(msg)); 1225 memset(&iov[0], 0, sizeof(iov)); 1226 1227 /* 1228 * We position the buffer second just so that we can confirm that the 1229 * fortification bits are traversing the iovec correctly. 1230 */ 1231 iov[1].iov_base = BUF; 1232 iov[1].iov_len = __len; 1233 1234 msg.msg_iov = &iov[0]; 1235 msg.msg_iovlen = nitems(iov); 1236 1237 recvmsg(sock[0], &msg, 0); 1238 #undef BUF 1239 1240 } 1241 1242 ATF_TC(recvmsg_msg_iov_heap_end); 1243 ATF_TC_HEAD(recvmsg_msg_iov_heap_end, tc) 1244 { 1245 } 1246 ATF_TC_BODY(recvmsg_msg_iov_heap_end, tc) 1247 { 1248 #define BUF __stack.__buf 1249 struct { 1250 uint8_t padding_l; 1251 unsigned char * __buf; 1252 uint8_t padding_r; 1253 } __stack; 1254 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1255 const size_t __len = 42; 1256 const size_t __idx __unused = __len - 1; 1257 int sock[2] = { -1, -1 }; 1258 struct msghdr msg; 1259 struct iovec iov[2]; 1260 1261 __stack.__buf = malloc(__bufsz); 1262 memset(&msg, 0, sizeof(msg)); 1263 memset(&iov[0], 0, sizeof(iov)); 1264 1265 /* 1266 * We position the buffer second just so that we can confirm that the 1267 * fortification bits are traversing the iovec correctly. 1268 */ 1269 iov[1].iov_base = BUF; 1270 iov[1].iov_len = __len; 1271 1272 msg.msg_iov = &iov[0]; 1273 msg.msg_iovlen = nitems(iov); 1274 1275 recvmsg(sock[0], &msg, 0); 1276 #undef BUF 1277 1278 } 1279 1280 ATF_TC(recvmsg_msg_iov_heap_after_end); 1281 ATF_TC_HEAD(recvmsg_msg_iov_heap_after_end, tc) 1282 { 1283 } 1284 ATF_TC_BODY(recvmsg_msg_iov_heap_after_end, tc) 1285 { 1286 #define BUF __stack.__buf 1287 struct { 1288 uint8_t padding_l; 1289 unsigned char * __buf; 1290 uint8_t padding_r; 1291 } __stack; 1292 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1293 const size_t __len = 42 + 1; 1294 const size_t __idx __unused = __len - 1; 1295 pid_t __child; 1296 int __status; 1297 int sock[2] = { -1, -1 }; 1298 struct msghdr msg; 1299 struct iovec iov[2]; 1300 1301 __child = fork(); 1302 ATF_REQUIRE(__child >= 0); 1303 if (__child > 0) 1304 goto monitor; 1305 1306 /* Child */ 1307 disable_coredumps(); 1308 __stack.__buf = malloc(__bufsz); 1309 memset(&msg, 0, sizeof(msg)); 1310 memset(&iov[0], 0, sizeof(iov)); 1311 1312 /* 1313 * We position the buffer second just so that we can confirm that the 1314 * fortification bits are traversing the iovec correctly. 1315 */ 1316 iov[1].iov_base = BUF; 1317 iov[1].iov_len = __len; 1318 1319 msg.msg_iov = &iov[0]; 1320 msg.msg_iovlen = nitems(iov); 1321 1322 recvmsg(sock[0], &msg, 0); 1323 _exit(EX_SOFTWARE); /* Should have aborted. */ 1324 1325 monitor: 1326 while (waitpid(__child, &__status, 0) != __child) { 1327 ATF_REQUIRE_EQ(EINTR, errno); 1328 } 1329 1330 if (!WIFSIGNALED(__status)) { 1331 switch (WEXITSTATUS(__status)) { 1332 case EX_SOFTWARE: 1333 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1334 break; 1335 case EX_OSERR: 1336 atf_tc_fail("setrlimit(2) failed"); 1337 break; 1338 default: 1339 atf_tc_fail("child exited with status %d", 1340 WEXITSTATUS(__status)); 1341 } 1342 } else { 1343 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1344 } 1345 #undef BUF 1346 1347 } 1348 1349 ATF_TC(recvmsg_msg_control_before_end); 1350 ATF_TC_HEAD(recvmsg_msg_control_before_end, tc) 1351 { 1352 } 1353 ATF_TC_BODY(recvmsg_msg_control_before_end, tc) 1354 { 1355 #define BUF &__stack.__buf 1356 struct { 1357 uint8_t padding_l; 1358 unsigned char __buf[CMSG_SPACE(sizeof(int))]; 1359 uint8_t padding_r; 1360 } __stack; 1361 const size_t __bufsz __unused = sizeof(__stack.__buf); 1362 const size_t __len = CMSG_SPACE(sizeof(int)) - 1; 1363 const size_t __idx __unused = __len - 1; 1364 int sock[2] = { -1, -1 }; 1365 struct msghdr msg; 1366 1367 memset(&msg, 0, sizeof(msg)); 1368 1369 msg.msg_control = BUF; 1370 msg.msg_controllen = __len; 1371 1372 recvmsg(sock[0], &msg, 0); 1373 #undef BUF 1374 1375 } 1376 1377 ATF_TC(recvmsg_msg_control_end); 1378 ATF_TC_HEAD(recvmsg_msg_control_end, tc) 1379 { 1380 } 1381 ATF_TC_BODY(recvmsg_msg_control_end, tc) 1382 { 1383 #define BUF &__stack.__buf 1384 struct { 1385 uint8_t padding_l; 1386 unsigned char __buf[CMSG_SPACE(sizeof(int))]; 1387 uint8_t padding_r; 1388 } __stack; 1389 const size_t __bufsz __unused = sizeof(__stack.__buf); 1390 const size_t __len = CMSG_SPACE(sizeof(int)); 1391 const size_t __idx __unused = __len - 1; 1392 int sock[2] = { -1, -1 }; 1393 struct msghdr msg; 1394 1395 memset(&msg, 0, sizeof(msg)); 1396 1397 msg.msg_control = BUF; 1398 msg.msg_controllen = __len; 1399 1400 recvmsg(sock[0], &msg, 0); 1401 #undef BUF 1402 1403 } 1404 1405 ATF_TC(recvmsg_msg_control_heap_before_end); 1406 ATF_TC_HEAD(recvmsg_msg_control_heap_before_end, tc) 1407 { 1408 } 1409 ATF_TC_BODY(recvmsg_msg_control_heap_before_end, tc) 1410 { 1411 #define BUF __stack.__buf 1412 struct { 1413 uint8_t padding_l; 1414 unsigned char * __buf; 1415 uint8_t padding_r; 1416 } __stack; 1417 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int))); 1418 const size_t __len = CMSG_SPACE(sizeof(int)) - 1; 1419 const size_t __idx __unused = __len - 1; 1420 int sock[2] = { -1, -1 }; 1421 struct msghdr msg; 1422 1423 __stack.__buf = malloc(__bufsz); 1424 memset(&msg, 0, sizeof(msg)); 1425 1426 msg.msg_control = BUF; 1427 msg.msg_controllen = __len; 1428 1429 recvmsg(sock[0], &msg, 0); 1430 #undef BUF 1431 1432 } 1433 1434 ATF_TC(recvmsg_msg_control_heap_end); 1435 ATF_TC_HEAD(recvmsg_msg_control_heap_end, tc) 1436 { 1437 } 1438 ATF_TC_BODY(recvmsg_msg_control_heap_end, tc) 1439 { 1440 #define BUF __stack.__buf 1441 struct { 1442 uint8_t padding_l; 1443 unsigned char * __buf; 1444 uint8_t padding_r; 1445 } __stack; 1446 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int))); 1447 const size_t __len = CMSG_SPACE(sizeof(int)); 1448 const size_t __idx __unused = __len - 1; 1449 int sock[2] = { -1, -1 }; 1450 struct msghdr msg; 1451 1452 __stack.__buf = malloc(__bufsz); 1453 memset(&msg, 0, sizeof(msg)); 1454 1455 msg.msg_control = BUF; 1456 msg.msg_controllen = __len; 1457 1458 recvmsg(sock[0], &msg, 0); 1459 #undef BUF 1460 1461 } 1462 1463 ATF_TC(recvmsg_msg_control_heap_after_end); 1464 ATF_TC_HEAD(recvmsg_msg_control_heap_after_end, tc) 1465 { 1466 } 1467 ATF_TC_BODY(recvmsg_msg_control_heap_after_end, tc) 1468 { 1469 #define BUF __stack.__buf 1470 struct { 1471 uint8_t padding_l; 1472 unsigned char * __buf; 1473 uint8_t padding_r; 1474 } __stack; 1475 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (CMSG_SPACE(sizeof(int))); 1476 const size_t __len = CMSG_SPACE(sizeof(int)) + 1; 1477 const size_t __idx __unused = __len - 1; 1478 pid_t __child; 1479 int __status; 1480 int sock[2] = { -1, -1 }; 1481 struct msghdr msg; 1482 1483 __child = fork(); 1484 ATF_REQUIRE(__child >= 0); 1485 if (__child > 0) 1486 goto monitor; 1487 1488 /* Child */ 1489 disable_coredumps(); 1490 __stack.__buf = malloc(__bufsz); 1491 memset(&msg, 0, sizeof(msg)); 1492 1493 msg.msg_control = BUF; 1494 msg.msg_controllen = __len; 1495 1496 recvmsg(sock[0], &msg, 0); 1497 _exit(EX_SOFTWARE); /* Should have aborted. */ 1498 1499 monitor: 1500 while (waitpid(__child, &__status, 0) != __child) { 1501 ATF_REQUIRE_EQ(EINTR, errno); 1502 } 1503 1504 if (!WIFSIGNALED(__status)) { 1505 switch (WEXITSTATUS(__status)) { 1506 case EX_SOFTWARE: 1507 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1508 break; 1509 case EX_OSERR: 1510 atf_tc_fail("setrlimit(2) failed"); 1511 break; 1512 default: 1513 atf_tc_fail("child exited with status %d", 1514 WEXITSTATUS(__status)); 1515 } 1516 } else { 1517 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1518 } 1519 #undef BUF 1520 1521 } 1522 1523 ATF_TC(recvmmsg_msgvec_before_end); 1524 ATF_TC_HEAD(recvmmsg_msgvec_before_end, tc) 1525 { 1526 } 1527 ATF_TC_BODY(recvmmsg_msgvec_before_end, tc) 1528 { 1529 #define BUF &__stack.__buf 1530 struct { 1531 uint8_t padding_l; 1532 struct mmsghdr __buf[2]; 1533 uint8_t padding_r; 1534 } __stack; 1535 const size_t __bufsz __unused = sizeof(__stack.__buf); 1536 const size_t __len = 2 - 1; 1537 const size_t __idx __unused = __len - 1; 1538 int sock[2] = { -1, -1 }; 1539 1540 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1541 #undef BUF 1542 1543 } 1544 1545 ATF_TC(recvmmsg_msgvec_end); 1546 ATF_TC_HEAD(recvmmsg_msgvec_end, tc) 1547 { 1548 } 1549 ATF_TC_BODY(recvmmsg_msgvec_end, tc) 1550 { 1551 #define BUF &__stack.__buf 1552 struct { 1553 uint8_t padding_l; 1554 struct mmsghdr __buf[2]; 1555 uint8_t padding_r; 1556 } __stack; 1557 const size_t __bufsz __unused = sizeof(__stack.__buf); 1558 const size_t __len = 2; 1559 const size_t __idx __unused = __len - 1; 1560 int sock[2] = { -1, -1 }; 1561 1562 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1563 #undef BUF 1564 1565 } 1566 1567 ATF_TC(recvmmsg_msgvec_after_end); 1568 ATF_TC_HEAD(recvmmsg_msgvec_after_end, tc) 1569 { 1570 } 1571 ATF_TC_BODY(recvmmsg_msgvec_after_end, tc) 1572 { 1573 #define BUF &__stack.__buf 1574 struct { 1575 uint8_t padding_l; 1576 struct mmsghdr __buf[2]; 1577 uint8_t padding_r; 1578 } __stack; 1579 const size_t __bufsz __unused = sizeof(__stack.__buf); 1580 const size_t __len = 2 + 1; 1581 const size_t __idx __unused = __len - 1; 1582 pid_t __child; 1583 int __status; 1584 int sock[2] = { -1, -1 }; 1585 1586 __child = fork(); 1587 ATF_REQUIRE(__child >= 0); 1588 if (__child > 0) 1589 goto monitor; 1590 1591 /* Child */ 1592 disable_coredumps(); 1593 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1594 _exit(EX_SOFTWARE); /* Should have aborted. */ 1595 1596 monitor: 1597 while (waitpid(__child, &__status, 0) != __child) { 1598 ATF_REQUIRE_EQ(EINTR, errno); 1599 } 1600 1601 if (!WIFSIGNALED(__status)) { 1602 switch (WEXITSTATUS(__status)) { 1603 case EX_SOFTWARE: 1604 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1605 break; 1606 case EX_OSERR: 1607 atf_tc_fail("setrlimit(2) failed"); 1608 break; 1609 default: 1610 atf_tc_fail("child exited with status %d", 1611 WEXITSTATUS(__status)); 1612 } 1613 } else { 1614 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1615 } 1616 #undef BUF 1617 1618 } 1619 1620 ATF_TC(recvmmsg_msgvec_heap_before_end); 1621 ATF_TC_HEAD(recvmmsg_msgvec_heap_before_end, tc) 1622 { 1623 } 1624 ATF_TC_BODY(recvmmsg_msgvec_heap_before_end, tc) 1625 { 1626 #define BUF __stack.__buf 1627 struct { 1628 uint8_t padding_l; 1629 struct mmsghdr * __buf; 1630 uint8_t padding_r; 1631 } __stack; 1632 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2); 1633 const size_t __len = 2 - 1; 1634 const size_t __idx __unused = __len - 1; 1635 int sock[2] = { -1, -1 }; 1636 1637 __stack.__buf = malloc(__bufsz); 1638 1639 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1640 #undef BUF 1641 1642 } 1643 1644 ATF_TC(recvmmsg_msgvec_heap_end); 1645 ATF_TC_HEAD(recvmmsg_msgvec_heap_end, tc) 1646 { 1647 } 1648 ATF_TC_BODY(recvmmsg_msgvec_heap_end, tc) 1649 { 1650 #define BUF __stack.__buf 1651 struct { 1652 uint8_t padding_l; 1653 struct mmsghdr * __buf; 1654 uint8_t padding_r; 1655 } __stack; 1656 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2); 1657 const size_t __len = 2; 1658 const size_t __idx __unused = __len - 1; 1659 int sock[2] = { -1, -1 }; 1660 1661 __stack.__buf = malloc(__bufsz); 1662 1663 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1664 #undef BUF 1665 1666 } 1667 1668 ATF_TC(recvmmsg_msgvec_heap_after_end); 1669 ATF_TC_HEAD(recvmmsg_msgvec_heap_after_end, tc) 1670 { 1671 } 1672 ATF_TC_BODY(recvmmsg_msgvec_heap_after_end, tc) 1673 { 1674 #define BUF __stack.__buf 1675 struct { 1676 uint8_t padding_l; 1677 struct mmsghdr * __buf; 1678 uint8_t padding_r; 1679 } __stack; 1680 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (2); 1681 const size_t __len = 2 + 1; 1682 const size_t __idx __unused = __len - 1; 1683 pid_t __child; 1684 int __status; 1685 int sock[2] = { -1, -1 }; 1686 1687 __child = fork(); 1688 ATF_REQUIRE(__child >= 0); 1689 if (__child > 0) 1690 goto monitor; 1691 1692 /* Child */ 1693 disable_coredumps(); 1694 __stack.__buf = malloc(__bufsz); 1695 1696 recvmmsg(sock[0], __stack.__buf, __len, 0, NULL); 1697 _exit(EX_SOFTWARE); /* Should have aborted. */ 1698 1699 monitor: 1700 while (waitpid(__child, &__status, 0) != __child) { 1701 ATF_REQUIRE_EQ(EINTR, errno); 1702 } 1703 1704 if (!WIFSIGNALED(__status)) { 1705 switch (WEXITSTATUS(__status)) { 1706 case EX_SOFTWARE: 1707 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1708 break; 1709 case EX_OSERR: 1710 atf_tc_fail("setrlimit(2) failed"); 1711 break; 1712 default: 1713 atf_tc_fail("child exited with status %d", 1714 WEXITSTATUS(__status)); 1715 } 1716 } else { 1717 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1718 } 1719 #undef BUF 1720 1721 } 1722 1723 ATF_TC(recvmmsg_msghdr_before_end); 1724 ATF_TC_HEAD(recvmmsg_msghdr_before_end, tc) 1725 { 1726 } 1727 ATF_TC_BODY(recvmmsg_msghdr_before_end, tc) 1728 { 1729 #define BUF &__stack.__buf 1730 struct { 1731 uint8_t padding_l; 1732 unsigned char __buf[42]; 1733 uint8_t padding_r; 1734 } __stack; 1735 const size_t __bufsz __unused = sizeof(__stack.__buf); 1736 const size_t __len = 42 - 1; 1737 const size_t __idx __unused = __len - 1; 1738 int sock[2] = { -1, -1 }; 1739 struct mmsghdr msgvec[2]; 1740 1741 memset(&msgvec[0], 0, sizeof(msgvec)); 1742 1743 /* 1744 * Same as above, make sure fortification isn't ignoring n > 1 elements 1745 * of the msgvec. 1746 */ 1747 msgvec[1].msg_hdr.msg_control = BUF; 1748 msgvec[1].msg_hdr.msg_controllen = __len; 1749 1750 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1751 #undef BUF 1752 1753 } 1754 1755 ATF_TC(recvmmsg_msghdr_end); 1756 ATF_TC_HEAD(recvmmsg_msghdr_end, tc) 1757 { 1758 } 1759 ATF_TC_BODY(recvmmsg_msghdr_end, tc) 1760 { 1761 #define BUF &__stack.__buf 1762 struct { 1763 uint8_t padding_l; 1764 unsigned char __buf[42]; 1765 uint8_t padding_r; 1766 } __stack; 1767 const size_t __bufsz __unused = sizeof(__stack.__buf); 1768 const size_t __len = 42; 1769 const size_t __idx __unused = __len - 1; 1770 int sock[2] = { -1, -1 }; 1771 struct mmsghdr msgvec[2]; 1772 1773 memset(&msgvec[0], 0, sizeof(msgvec)); 1774 1775 /* 1776 * Same as above, make sure fortification isn't ignoring n > 1 elements 1777 * of the msgvec. 1778 */ 1779 msgvec[1].msg_hdr.msg_control = BUF; 1780 msgvec[1].msg_hdr.msg_controllen = __len; 1781 1782 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1783 #undef BUF 1784 1785 } 1786 1787 ATF_TC(recvmmsg_msghdr_heap_before_end); 1788 ATF_TC_HEAD(recvmmsg_msghdr_heap_before_end, tc) 1789 { 1790 } 1791 ATF_TC_BODY(recvmmsg_msghdr_heap_before_end, tc) 1792 { 1793 #define BUF __stack.__buf 1794 struct { 1795 uint8_t padding_l; 1796 unsigned char * __buf; 1797 uint8_t padding_r; 1798 } __stack; 1799 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1800 const size_t __len = 42 - 1; 1801 const size_t __idx __unused = __len - 1; 1802 int sock[2] = { -1, -1 }; 1803 struct mmsghdr msgvec[2]; 1804 1805 __stack.__buf = malloc(__bufsz); 1806 memset(&msgvec[0], 0, sizeof(msgvec)); 1807 1808 /* 1809 * Same as above, make sure fortification isn't ignoring n > 1 elements 1810 * of the msgvec. 1811 */ 1812 msgvec[1].msg_hdr.msg_control = BUF; 1813 msgvec[1].msg_hdr.msg_controllen = __len; 1814 1815 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1816 #undef BUF 1817 1818 } 1819 1820 ATF_TC(recvmmsg_msghdr_heap_end); 1821 ATF_TC_HEAD(recvmmsg_msghdr_heap_end, tc) 1822 { 1823 } 1824 ATF_TC_BODY(recvmmsg_msghdr_heap_end, tc) 1825 { 1826 #define BUF __stack.__buf 1827 struct { 1828 uint8_t padding_l; 1829 unsigned char * __buf; 1830 uint8_t padding_r; 1831 } __stack; 1832 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1833 const size_t __len = 42; 1834 const size_t __idx __unused = __len - 1; 1835 int sock[2] = { -1, -1 }; 1836 struct mmsghdr msgvec[2]; 1837 1838 __stack.__buf = malloc(__bufsz); 1839 memset(&msgvec[0], 0, sizeof(msgvec)); 1840 1841 /* 1842 * Same as above, make sure fortification isn't ignoring n > 1 elements 1843 * of the msgvec. 1844 */ 1845 msgvec[1].msg_hdr.msg_control = BUF; 1846 msgvec[1].msg_hdr.msg_controllen = __len; 1847 1848 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1849 #undef BUF 1850 1851 } 1852 1853 ATF_TC(recvmmsg_msghdr_heap_after_end); 1854 ATF_TC_HEAD(recvmmsg_msghdr_heap_after_end, tc) 1855 { 1856 } 1857 ATF_TC_BODY(recvmmsg_msghdr_heap_after_end, tc) 1858 { 1859 #define BUF __stack.__buf 1860 struct { 1861 uint8_t padding_l; 1862 unsigned char * __buf; 1863 uint8_t padding_r; 1864 } __stack; 1865 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1866 const size_t __len = 42 + 1; 1867 const size_t __idx __unused = __len - 1; 1868 pid_t __child; 1869 int __status; 1870 int sock[2] = { -1, -1 }; 1871 struct mmsghdr msgvec[2]; 1872 1873 __child = fork(); 1874 ATF_REQUIRE(__child >= 0); 1875 if (__child > 0) 1876 goto monitor; 1877 1878 /* Child */ 1879 disable_coredumps(); 1880 __stack.__buf = malloc(__bufsz); 1881 memset(&msgvec[0], 0, sizeof(msgvec)); 1882 1883 /* 1884 * Same as above, make sure fortification isn't ignoring n > 1 elements 1885 * of the msgvec. 1886 */ 1887 msgvec[1].msg_hdr.msg_control = BUF; 1888 msgvec[1].msg_hdr.msg_controllen = __len; 1889 1890 recvmmsg(sock[0], &msgvec[0], nitems(msgvec), 0, NULL); 1891 _exit(EX_SOFTWARE); /* Should have aborted. */ 1892 1893 monitor: 1894 while (waitpid(__child, &__status, 0) != __child) { 1895 ATF_REQUIRE_EQ(EINTR, errno); 1896 } 1897 1898 if (!WIFSIGNALED(__status)) { 1899 switch (WEXITSTATUS(__status)) { 1900 case EX_SOFTWARE: 1901 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1902 break; 1903 case EX_OSERR: 1904 atf_tc_fail("setrlimit(2) failed"); 1905 break; 1906 default: 1907 atf_tc_fail("child exited with status %d", 1908 WEXITSTATUS(__status)); 1909 } 1910 } else { 1911 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1912 } 1913 #undef BUF 1914 1915 } 1916 1917 ATF_TP_ADD_TCS(tp) 1918 { 1919 ATF_TP_ADD_TC(tp, getpeername_before_end); 1920 ATF_TP_ADD_TC(tp, getpeername_end); 1921 ATF_TP_ADD_TC(tp, getpeername_heap_before_end); 1922 ATF_TP_ADD_TC(tp, getpeername_heap_end); 1923 ATF_TP_ADD_TC(tp, getpeername_heap_after_end); 1924 ATF_TP_ADD_TC(tp, getsockname_before_end); 1925 ATF_TP_ADD_TC(tp, getsockname_end); 1926 ATF_TP_ADD_TC(tp, getsockname_heap_before_end); 1927 ATF_TP_ADD_TC(tp, getsockname_heap_end); 1928 ATF_TP_ADD_TC(tp, getsockname_heap_after_end); 1929 ATF_TP_ADD_TC(tp, recv_before_end); 1930 ATF_TP_ADD_TC(tp, recv_end); 1931 ATF_TP_ADD_TC(tp, recv_heap_before_end); 1932 ATF_TP_ADD_TC(tp, recv_heap_end); 1933 ATF_TP_ADD_TC(tp, recv_heap_after_end); 1934 ATF_TP_ADD_TC(tp, recvfrom_before_end); 1935 ATF_TP_ADD_TC(tp, recvfrom_end); 1936 ATF_TP_ADD_TC(tp, recvfrom_heap_before_end); 1937 ATF_TP_ADD_TC(tp, recvfrom_heap_end); 1938 ATF_TP_ADD_TC(tp, recvfrom_heap_after_end); 1939 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_before_end); 1940 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_end); 1941 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_before_end); 1942 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_end); 1943 ATF_TP_ADD_TC(tp, recvfrom_sockaddr_heap_after_end); 1944 ATF_TP_ADD_TC(tp, recvmsg_msg_name_before_end); 1945 ATF_TP_ADD_TC(tp, recvmsg_msg_name_end); 1946 ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_before_end); 1947 ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_end); 1948 ATF_TP_ADD_TC(tp, recvmsg_msg_name_heap_after_end); 1949 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_before_end); 1950 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_end); 1951 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_before_end); 1952 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_end); 1953 ATF_TP_ADD_TC(tp, recvmsg_msg_iov_heap_after_end); 1954 ATF_TP_ADD_TC(tp, recvmsg_msg_control_before_end); 1955 ATF_TP_ADD_TC(tp, recvmsg_msg_control_end); 1956 ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_before_end); 1957 ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_end); 1958 ATF_TP_ADD_TC(tp, recvmsg_msg_control_heap_after_end); 1959 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_before_end); 1960 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_end); 1961 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_after_end); 1962 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_before_end); 1963 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_end); 1964 ATF_TP_ADD_TC(tp, recvmmsg_msgvec_heap_after_end); 1965 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_before_end); 1966 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_end); 1967 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_before_end); 1968 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_end); 1969 ATF_TP_ADD_TC(tp, recvmmsg_msghdr_heap_after_end); 1970 return (atf_no_error()); 1971 } 1972